Details
-
Improvement
-
Resolution: Unresolved
-
Minor
-
None
-
2.3.0, 2.4.0
-
None
Description
Our institution adds a content security policy header to Grouper pages at the web server level. We have had to allow inline scripting including evals, which is fine. We have not enabled iframes, which for the most part has no problems. But it does affect the "import a list of members" page, which no longer works because browsers refuse to do the ajax call since it creates a temporary iframe.
CSP Header:
Content-Security-Policy: frame-ancestors 'none'; default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
|
Browser debugger log:
Refused to display 'http://localhost/grouper-dist/grouperUi/app/UiV2GroupImport.groupImportSubmit' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
|
I can't see what the point of the iframe is, since there is only the standard browser file picker that still works. The same form is being used for the file picker, individual member lookups, and copy/paste lists into a textarea. So the iframe is an issue even when not using the file upload at all.
I only see the iframe being set as an option for the ajax call. If this setting is removed, does the file upload still work? Or does the ajax file upload create its own frame no matter what, so the only solution is to modify the content security policy?